Weave Communications (WEAV) Risk Analysis

We depend upon our information technology ("IT") systems to conduct virtually all of our business operations, ranging from the operation of our platform, our internal operations and research and development activities to our marketing and sales efforts and communications with our customers and integration partners. Individuals or entities may attempt to penetrate our network security, or that of our platform, and to cause harm to our business operations, including by misappropriating our proprietary information or that of our customers, employees and integration partners or to cause interruptions of our products and platform. In particular, cyberattacks (including ransomware) and other malicious internet-based activity continue to increase in frequency and in magnitude generally, and cloud-based companies continue to be targeted. In addition to threats from traditional computer hackers, malicious code (such as malware, viruses, worms, and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing, and denial-of-service attacks, we also face threats from sophisticated organized crime, nation-state, and nation-state supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risk to our systems (including those hosted on GCP or other cloud services), internal networks, our customers' systems and the information that they store and process. Because the techniques used by such individuals or entities to access, disrupt or sabotage devices, systems and networks change frequently and may not be recognized until launched against a target, we may be required to make further investments over time to protect data and infrastructure as cybersecurity threats develop, evolve and grow more complex over time. We may also be unable to anticipate these techniques, and we may not become aware in a timely manner of such a security breach, which could exacerbate any damage we experience. Additionally, we depend upon our employees and contractors to appropriately handle confidential and sensitive data, including customer data, and to deploy our IT resources in a safe and secure manner that does not expose our network systems to security breaches or the loss of data. We have been and will continue to be subject to cybersecurity threats and incidents, including denial-of-service attacks, employee errors or individual attempts to gain unauthorized access to information systems. Any information security incidents, including internal malfeasance or inadvertent disclosures by our employees or a third-party's fraudulent inducement of our employees to disclose information, unauthorized access or usage, virus or similar breach or disruption of us or our service providers, such as GCP, could result in the loss of confidential or personal information, damage to our reputation, erosion of customer trust, loss of customers, litigation, regulatory investigations, fines, penalties and other liabilities. Furthermore, we are required to comply with laws and regulations, including stringent regulations such as the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), that require us to maintain the security of personal information and we may have contractual and other legal obligations to notify customers, regulators or other relevant stakeholders of security breaches. Such disclosures could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures and require us to expend significant capital and other resources to respond to and/or mitigate the security breach. Accordingly, if our cybersecurity measures-or those of GCP or our service providers---fail to prevent unauthorized access, attacks (including sophisticated cyberattacks), or data compromises, the consequences could be significant. Additionally, if our employees or contractors mishandle data, then our reputation, customer trust, business, results of operations and financial condition could be adversely affected. While we maintain errors, omissions, and cyber liability insurance policies covering certain security and privacy damages, we cannot be certain that our existing insurance coverage will continue to be available on acceptable terms, and in sufficient amounts, to cover the potentially significant losses that may result from a security incident or breach or that the insurer will not deny coverage as to any future claim.

We process business and personal information belonging to our customers and employees and because of this, we are subject to numerous federal, state, local, and foreign laws, orders, codes, regulations, and regulatory guidance regarding privacy, data protection, information security, and the processing of personal information and other content (collectively, "Data Protection Laws"), the number and scope of which are changing, subject to differing applications and interpretations, and may be inconsistent among countries, or conflict with other rules, laws, or Data Protection Obligations (defined below). These laws and regulations include HIPAA, which establishes a set of national privacy and security standards for the protection of PHI by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and individuals and entities that perform services for them which involve the use, or disclosure of, individually identifiable health information, known as business associates and their subcontractors. We are considered a business associate under HIPAA, and we execute business associate agreements ("BAAs") with our customers, subcontractors, and trusted suppliers. HIPAA requires covered entities and business associates, such as Weave, and their covered subcontractors to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. Failure to comply with HIPAA could subject us to direct civil liability by the Department of Health and Human Services' Office for Civil Rights ("OCR"). In the event of an information security incident affecting PHI or other violation, OCR could require us to pay a civil monetary penalty and enter into a Corrective Action Plan that could cause to incur substantial compliance costs. Similar Data Protection Laws are in place in Canada, including the PIPEDA. Failure to comply could subject us to investigation and monetary penalty by the Office of the Privacy Commissioner of Canada. In addition, experiencing a breach of personal information or PHI, or failing to comply with HIPAA could also subject us to contractual liability under our BAAs with our covered entity customers and damage our reputation which might hurt our ability to retain existing customers or attract new customers. We expect that there will continue to be new Data Protection Laws and Data Protection Obligations, and we cannot yet determine the impact such future Data Protection Laws may have on our business. We are also subject to the terms of our internal and external privacy and security policies, codes, representations, certifications, industry standards, publications, and frameworks, which we refer to as Privacy Policies, and obligations to third parties related to privacy, data protection, and information security ("Data Protection Obligations"). The requirements or obligations of the regulatory framework for privacy, information security, data protection, and data processing worldwide is, and is likely to remain, uncertain for the foreseeable future, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Any significant change in Data Protection Laws or Data Protection Obligations, including without limitation, regarding processing of our users' or customers' data, or regarding the manner in which the express or implied consent of users or customers for the use and disclosure of such data is obtained, could increase our costs and could require us to modify our products or operations, possibly in a material manner, and may limit our ability to develop new services and features that make use of the data that our users and customers voluntarily share, or may limit our ability to store and Process customer data and operate our business. Data protection legislation is also becoming increasingly common in the U.S. at both the federal and state level. For example, California enacted legislation, the CPRA, which affords consumers expanded privacy protections. The potential effects of this legislation are far-reaching and have required Weave to implement enhanced practices and policies in an effort to comply. Specifically, the CCPA gives California residents expanded rights to request access to and deletion of their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA also provides for civil penalties for violations, as well as a private right of action for data breaches that may increase data breach litigation. In addition, the CCPA has prompted a number of proposals for new federal and state privacy legislation that, if passed, could increase our potential liability, increase our compliance costs, and adversely affect our business. It remains unclear how much private litigation will ensue under the data breach private right of action. Additionally, the CPRA, which became fully effective on January 1, 2023, expanded the rights of California residents with respect to their personal information. The CPRA, among other things, gives California residents the ability to limit use of certain sensitive personal information, further restrict the use of cross-contextual advertising, establish restrictions on the retention of personal information, expand the types of data breaches subject to the CCPA's private right of action, provide for increased penalties for CPRA violations concerning California residents under the age of 16, and establish a new California Privacy Protection Agency to implement and enforce the new law which may result in increased regulatory scrutiny of California businesses in the areas of data protection and security. Moreover, at least 18 other states have created state specific privacy laws. Compliance with any newly enacted privacy and data security laws or regulations may be challenging and cost and time-intensive, and we may be required to put in place additional mechanisms to comply with applicable legal requirements. In addition, the various state privacy laws may limit how we use personal information we collect, particularly with respect to marketing and the use of online advertising networks. Furthermore, the FTC and many state attorneys general continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. There are a number of legislative proposals in the U.S., at both the federal and state level and more globally, that could impose new obligations in areas such as e-commerce and other related legislation or liability for copyright infringement by third parties. We cannot yet determine the impact that future laws, regulations, and standards may have on our business. Change in existing legislation or introduction of new legislation may require us to incur additional expenditures to ensure compliance with such legislation, which may adversely affect our financial condition. We strive to comply with Data Protection Laws and Data Protection Obligations to the extent possible, but we may at times fail, or may be perceived to have failed, to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees, partners, or vendors do not comply with applicable Data Protection Laws and Data Protection Obligations. If our Privacy Policies are found to be inaccurate, incomplete, deceptive, unfair, or misrepresentative of our actual practices-whether in whole or in part-it could have serious consequences. Similarly, a failure or perceived failure to comply with Data Protection Laws or Data Protection Obligations, or a data compromise leading to the unauthorized release or transfer of business or personal information, could also be harmful. Any such issues may increase our compliance and operational costs, limit our ability to market our products or services, and affect our ability to attract and retain customers. They could also restrict or eliminate our ability to process data and lead to enforcement actions, fines, litigation, and significant expenses, including attorney fees. Additionally, they may cause a material adverse impact on our business operations and financial results or lead to other significant harm. Furthermore, any such failure or perceived failure could result in public criticism from consumer advocacy groups, the media, or other sources, potentially causing substantial reputational damage. Our actual or perceived failure to comply with Data Protection Laws, Privacy Policies, and Data Protection Obligations could also subject us to litigation, claims, proceedings, actions, or investigations by governmental entities, authorities, or regulators that could require changes to our business practices, diversion of resources and the attention of management from our business, regulatory oversights and audits, discontinuance of necessary processing, or other remedies that adversely affect our business.

The market for our platform and products is evolving, significantly fragmented and highly competitive, with relatively low barriers to entry in some segments. In many cases, our primary competition is the combination of existing point solutions, such as messaging, phone service, marketing tools, payments, CRM and PMS platforms, analytics and reviews management, that potential customers may already use to manage their practices and in which they have made significant investments. The principal competitive factors in our market include platform breadth, ability to offer an all-in-one solution, ease of deployment and use, industry-specific capabilities and workflows with best-in-class product functionality, depth of integration with leading systems of record, ability to enable differentiated customer engagement, cloud-based delivery architecture, advanced payments capabilities, brand recognition and value and total cost of ownership. Our competitors fall into the following primary categories: - customer interactions management solutions;- customer experience management;- marketing solutions;- business intelligence;- integrated payment providers;- unified communications and telecommunications; and - customer relationship management. We also face competition from the systems of record, including systems of record providers, such as suppliers of PMS, that have significant market penetration and broad market acceptance in the markets that we address. Although these systems do not currently offer the broad functionality provided by our platform or products, if the providers of these systems were to seek to integrate some or all of the functionality offered by our platform or products in the future, either by building that functionality into their systems or through partnerships with third parties, existing or potential customers that use these systems may choose to use that functionality rather than to subscribe to our platform and products. This development could have an adverse effect on our business, operating results and financial condition. If one or more of our competitors were to merge or partner with another of our competitors, the change in the competitive landscape could also adversely affect our ability to compete effectively. For example, sales force automation and CRM vendors could acquire or develop applications that compete with our marketing software offerings. Some of these companies have in the past acquired social media marketing and other marketing software providers to integrate with their broader offerings, which may increase the competition we experience from those third parties. Some of our competitors and potential competitors are larger and have greater name recognition, longer operating histories, more established customer relationships, larger budgets and significantly greater resources than we do. In addition, they have the operating flexibility to bundle competing products and services at little or no perceived incremental cost, including offering them at a lower price as part of a larger sales transaction. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. In addition, some competitors may offer products or services that address one or a limited number of functions at lower prices, with greater depth than our products or in different geographies or in vertical markets. Customers utilize our products in many ways and use varying levels of functionality that our products offer or are capable of supporting or enabling within their applications. Customers that use only limited functionality in our platform or products may be able to more easily replace our products with competitive offerings. In addition, some of our customers may choose to use our platform and products and our competitors' products at the same time. Moreover, as we expand the functionality of our platform and products to include additional solutions, address new healthcare vertical markets and enter new markets outside the U.S., we may face additional sources of competition. We cannot be sure that we will compete as successfully against companies with products that offer solutions in those markets as we have to date. In addition, we cannot be sure we will compete successfully against incumbent providers of solutions with established brands and market presence if we enter new healthcare vertical markets and new markets outside the U.S.. In addition, some of our competitors have lower list prices than us, which may be attractive to certain customers even if those products have different or lesser functionality. Our current and potential competitors may also develop and market new products and services with comparable functionality to our products, and this could lead to us having to decrease our prices in order to remain competitive. If we are unable to maintain our current pricing due to competitive pressures, our margins will be reduced and our business, results of operations and financial condition would be adversely affected. In addition, increased competition generally could result in reduced revenue, reduced margins, increased losses or the failure of our products to achieve or maintain widespread market acceptance, any of which could harm our business, results of operations and financial condition.

We believe that maintaining and enhancing our brand identity and increasing market awareness of our company, platform and products are critical to achieving widespread acceptance of our platform, to strengthen our relationships with our existing customers and to our ability to attract new customers. The successful promotion of our brand will depend largely on our continued marketing efforts, our ability to continue to offer high quality products and support, our ability to successfully integrate our platform with a broad range of PMS, and our ability to successfully differentiate our platform and products from competing offerings. Our brand promotion activities may not be successful or yield increased revenue. As we seek to expand our customer base by targeting additional healthcare vertical markets in the future, we will need to establish brand awareness in new markets in which we have not historically had a presence. Although we have invested in promoting our brand generally, we may not have significant brand awareness in these new healthcare vertical markets, and will need to make additional investments to expand awareness of our brand in the new healthcare vertical markets we seek to address. In addition, as and to the extent we seek to expand our reach internationally, we will need to invest in establishing awareness of our brand in new international markets. From time to time, our customers have provided negative feedback about our platform and products, such as about our pricing and customer support. If we do not handle customer feedback effectively, then our brand and reputation may suffer, our customers may lose confidence in us and they may reduce or cease their use of our products. In addition, many of our customers post and discuss on social media about internet-based products and services, including our platform and products. Our success depends, in part, on our ability to generate positive customer feedback and minimize negative feedback on social media channels where existing and potential customers seek and share information. If actions we take or changes we make to our platform or products upset these customers, then their online commentary could negatively affect our brand, reputation and customer trust. Complaints or negative publicity about us, our platform or products could adversely impact our ability to attract and retain customers, our business, results of operations and financial condition. The promotion of our brand requires us to make substantial expenditures, and we anticipate that these expenditures will increase as our market becomes more competitive and as we expand into new markets. To the extent these activities increase revenue, this revenue may not be enough to offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, then our business may not grow, we may have to lower our prices to compete and we may lose customers, all of which would adversely affect our business, results of operations and financial condition.

We leverage third-party independent contractors to install a portion of our customer premises equipment and implement integrations. These services are critical because a failure to properly install our product can lead to reduced operability and poor customer satisfaction. While we currently provide customers with a list of reputable independent installers from which they may select their installer of choice, a quality installation may not be delivered, which would impact customer experience. To the extent our third-party independent contractors perform low-quality installations, we may need to devote additional resources to the identification and monitoring of such independent installers. Additionally, if the installers used by customers fail to provide the quality of service that our customers expect, we may lose existing customers, our reputation and market acceptance of our platform and products could suffer, our sales could decline and we may experience increased warranty claims and costs, any of which would harm our business.

We currently market our platform and products only in the U.S. and Canada. We may open additional international offices and hire employees to work at these offices in order to gain access to additional technical talent. For example, we opened an office in India in 2021 and as of December 31, 2024 had approximately 100 employees in India to further our engineering and administrative operations. Additionally, in 2023 we began utilizing resources in the Philippines to supplement our customer support operations and in 2024 we expanded resources in the Philippines to supplement our revenue operations organization. Operating in international markets requires significant resources and management attention and will subject us to regulatory, economic and political risks in addition to those we already face in the U.S.. Because of our limited experience with international operations or with developing and managing sales in international markets, our international expansion efforts may not be successful. In addition, we will face risks in doing business internationally that could adversely affect our business, including: - the difficulty of managing and staffing international operations and the increased operations, travel, infrastructure and legal compliance costs associated with servicing international customers and operating numerous international locations;- our ability to effectively price our products in competitive international markets;- new and different sources of competition or other changes to our current competitive landscape;- understanding, reconciling and complying with different technical standards, telecommunications and payment processing regulations, registration and certification requirements outside the U.S., which could prevent customers from deploying our platform and products and limit the features and functionality we may be able to provide or limit their usage;- potentially greater difficulty collecting accounts receivable and longer payment cycles;- higher or more variable network service provider fees outside of the U.S.;- the need to adapt and localize our products for specific countries;- the need to offer customer support in various languages;- difficulties in understanding and complying with local laws, regulations and customs in non-U.S. jurisdictions;- export controls and economic sanctions administered by the Department of Commerce Bureau of Industry and Security and the Treasury Department's Office of Foreign Assets Control;- compliance with various anti-bribery and anti-corruption laws such as the Foreign Corrupt Practices Act;- changes in international trade policies, tariffs and other non-tariff barriers, such as quotas and local content rules;- more limited protection for intellectual property rights in some countries;- adverse tax consequences;- fluctuations in currency exchange rates, which could increase the price of our products outside of the U.S., increase the expenses of our international operations and expose us to foreign currency exchange rate risk;- fluctuations in exchange rates and the resulting impact on our business;- restrictions on the transfer of funds;- deterioration of political relations between the U.S. and other countries;- the impact of natural disasters and public health epidemics or pandemics on employees, contingent workers, partners, travel and the global economy and the ability to operate freely and effectively in a region that may be fully or partially on lockdown; and - political or social unrest or economic instability in a specific country or region in which we operate, which could have an adverse impact on our operations in that location. Also, due to costs from our international expansion efforts and network service provider fees outside of the U.S., which can be higher than domestic rates, our gross margin for international customers may be lower than our gross margin for domestic customers. As a result, our gross margin may be adversely impacted and fluctuate as we expand our operations and customer base worldwide. Our failure to manage any of these risks successfully could harm our international operations, and adversely affect our business, results of operations and financial condition.

A significant natural disaster, such as an earthquake, fire or flood, occurring at our headquarters, at one of our other facilities or where a business partner is located could adversely affect our business, results of operations and financial condition. Further, if a natural disaster or man-made problem were to affect our network service providers or internet service providers, this could adversely affect the ability of our customers to use our platform and products. In addition, natural disasters, pandemics, and acts of terrorism could cause disruptions in our or our customers' businesses and national or regional economies. Health concerns or political or governmental developments in countries in which we or our customers, partners and service providers operate could result in economic, social or labor instability and could have an adverse effect on our business and our results of operations and financial condition. We also rely on our network and third-party infrastructure and enterprise applications and internal technology systems for our engineering, sales and marketing and operations activities. Although we maintain incident management and disaster response plans, in the event of a major disruption caused by a natural disaster or man-made problem, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our development activities, lengthy interruptions in service, breaches of data security and loss of critical data, any of which could adversely affect our business, results of operations and financial condition. In addition, computer malware, viruses and computer hacking, fraudulent use attempts and phishing attacks have become more prevalent in our industry, have occurred on our platform in the past and may occur on our platform in the future. Though it is difficult to determine what, if any, harm may directly result from any specific interruption or attack, any failure to maintain performance, reliability, security, integrity and availability of our platform and products and technical infrastructure to the satisfaction of our users may harm our reputation and our ability to retain existing users and attract new users.